Can't SSH into my 2911 Router from Outside Network

Unanswered Question
Mar 15th, 2012

Hi All!


Got a strange problem here. We can't seem to SSH from the outside network into our router. Our router config looks straightforward enough. Can someone please take a look? Appreciate it!


-Tom



!
! Last configuration change at 10:41:22 zone Thu Mar 15 2012 by tssconsult
! NVRAM config last updated at 11:19:12 zone Thu Mar 15 2012 by tssconsult
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname **********************
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login user local
aaa authentication login userauthen local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization network stivpnusers local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PST -8
clock summer-time zone recurring
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.9.214.1 192.9.214.59
ip dhcp excluded-address 192.9.214.101 192.9.214.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.9.214.0 255.255.255.0
   domain-name ***************
   default-router 192.9.214.50
   dns-server 8.8.8.8 4.2.2.2
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name sbycab.com
ip name-server 68.238.64.12
ip name-server 68.238.96.12
ip inspect name myfw icmp
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw cuseeme
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw h323
ip inspect name myfw https
ip inspect name myfw imap
ip inspect name myfw pop3
ip inspect name myfw netshow
ip inspect name myfw rcmd
ip inspect name myfw realaudio
ip inspect name myfw rtsp
ip inspect name myfw esmtp
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw tftp
ip inspect name myfw vdolive
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1413036665
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1413036665
 revocation-check none
 rsakeypair TP-self-signed-1413036665
!
!
crypto pki certificate chain TP-self-signed-1413036665
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    quit
license udi pid CISCO2911/K9 sn *******************
!
!
username ******************* privilege 15 secret 5 **************************
!
redundancy
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ***************************** address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set newset esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set newset
!
!
bridge irb
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 2.2.2.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication ****************
 ip nhrp map multicast dynamic
 ip nhrp map 2.2.2.1 ****************
 ip nhrp map multicast *********************
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 2.2.2.1
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 90
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
 crypto ipsec df-bit clear
!
!
interface GigabitEthernet0/0
 description Inside Network
 ip address 192.9.214.50 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip address 172.22.23.6 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
 no cdp enable
!
!
interface GigabitEthernet0/2
 ip address ******************* 255.255.255.248
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
!
!
router eigrp 90
 network 2.2.2.0 0.0.0.255
 network 192.9.214.0
 no eigrp log-neighbor-changes
!
router rip
 version 2
 redistribute connected
 redistribute eigrp 90 metric 1
 network 172.22.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination ********************
!
ip nat inside source list 10 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 ********************
!
access-list 10 permit 192.9.214.0 0.0.0.255
!
!
!
!
!
snmp-server community y3r3Van! RO
snmp-server ifindex persist
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps eigrp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps flash insertion removal
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps bgp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host ***************************
!
control-plane
!
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^CC
###############################################################################
#                                                                             #
# WARNING: You are connected to a Secure Network                             #
# Unauthorized access and use of this network will be vigorously prosecuted. #
#                                                                             #
###############################################################################
^C
!
line con 0
 exec-timeout 30 0
 privilege level 15
 authorization exec con
 logging synchronous
 login authentication con
 transport preferred none
 transport output none
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 **************
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Marvin Rhoads Thu, 03/15/2012 - 19:33
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

The config appears to be set up to allow ssh to the vty. Has it ever worked? What are you seeing from your client when you try?
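The question "what are you seeing from your client?" is the key one, because the three outcomes point at three different places. The following added example (not code from the original poster or from Cisco) makes the same observation that `ssh -v` or `telnet <host> 22` would and maps it to those cases: a timeout means no SYN-ACK ever came back, so something between the client and the router is dropping the packet; a refused connection means a RST came back, so the router is reachable but nothing listens on that port; a TCP connect with no banner means SSH is not fully enabled; an `SSH-` banner means the daemon is reachable and any remaining failure is credentials or AAA. The loopback listener and its banner are constructed test doubles so the example runs offline; the host and port are parameters.

```python
"""Classify what an SSH client actually gets back from a device.

Added example for this thread, not code from the original poster or Cisco.
It maps a single connect attempt to the cases the replies distinguish:
timeout (filtered/unrouted on the path), refused (RST: port closed),
silent (TCP open, no banner), or banner (SSH daemon reachable).
The loopback listener is a constructed test double so the example runs
offline.
"""
import socket
import threading

CONSTRUCTED_BANNER = b"SSH-2.0-Cisco-1.25\r\n"  # shaped like an IOS banner; constructed


def start_fake_ssh_listener(banner: bytes = CONSTRUCTED_BANNER) -> int:
    """Listen on a free loopback port, send one banner to the first client, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port() -> int:
    """Return a loopback port that nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> dict:
    """Connect once and report which failure class (or success) the client sees."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return {"result": "timeout",
                "hint": "no SYN-ACK: filtered or not routed on the path (upstream ACL/NAT/route)"}
    except ConnectionRefusedError:
        s.close()
        return {"result": "refused",
                "hint": "RST from the host: reachable, but nothing listening on that port"}
    except OSError as exc:
        s.close()
        return {"result": "error", "hint": str(exc)}
    try:
        data = s.recv(256)
    except socket.timeout:
        return {"result": "silent",
                "hint": "TCP open but no banner: check 'show ip ssh' and the RSA key"}
    finally:
        s.close()
    banner = data.decode(errors="replace").strip()
    if banner.startswith("SSH-"):
        return {"result": "banner", "banner": banner,
                "hint": "SSH daemon reachable; a login failure now is credentials/AAA"}
    return {"result": "unexpected", "banner": banner,
            "hint": "something other than SSH answered on that port"}


if __name__ == "__main__":
    # Run against the constructed listener and against a closed loopback port.
    port = start_fake_ssh_listener()
    print(probe_ssh("127.0.0.1", port))
    print(probe_ssh("127.0.0.1", closed_loopback_port()))
```

Run it from the same vantage point as the failing client (an outside host) against the router's public address; for the thread's symptom, a `timeout` result from outside combined with a `banner` result from inside is what an upstream filter looks like, while `refused` or `silent` would point back at the router itself.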

milkboy33 Thu, 03/15/2012 - 20:10

Yea, SSH is not a problem from any of our internal network. We could also SSH to it while on the router to its external IP.


The only problem is trying to SSH to it on its external IP from anywhere OUTSIDE. There is no firewall on the outside interface. It connects directly to the ISP's equipment.

Marvin Rhoads Fri, 03/16/2012 - 03:56
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Strange. It looks an awful lot like an upstream (ISP) access-list preventing ssh. Your router obviously allows it and there's nothing in the config you posted to restrict it.

SergeyWinda Fri, 03/16/2012 - 05:01

So, with default factory settings it must accept incoming ssh connections from external sources?


Sent from Cisco Technical Support iPad App

Marvin Rhoads Fri, 03/16/2012 - 07:59
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Yes, as long as the router or switch is running an image with cryptographic support ("k9" in image name) and you have generated an RSA key for ssh, it will accept all ssh login requests (in the absence of any access list or firewall setting to prohibit them) and evaluate the credentials presented for login based on the authentication methods configured on the device.
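The two replies above make the same point from two sides: the posted config has nothing that restricts SSH to the vty, and a router with a k9 image, an RSA key and no ACL or firewall rule in the way will accept SSH from anywhere. The following added example (not Cisco code and not the poster's) turns that checklist into a small audit of a running-config: it looks at `transport input` and any `access-class` on the vty lines, the AAA login list the vty will use, and any inbound `ip access-group` or `ip inspect` on the NAT-outside interface. What a running-config cannot show (the RSA key pair and the image name) is reported as a manual check. The sample config is a constructed excerpt of the one posted above with the masked outside address replaced by a documentation-range placeholder, and the parser assumes sub-commands keep their one-space indentation, as `show running-config` prints them.

```python
"""Audit an IOS running-config for the settings that gate inbound SSH to the vty.

Added example for this thread; it is not Cisco code and not the poster's.
Capture the config with 'terminal length 0' first so no '--More--' paging
prompts end up in the text, and keep the one-space indentation of
sub-commands, which is how the parser tells a block's children apart.
"""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, List[str]]

# Constructed excerpt of the config posted above; the outside address is a
# documentation-range placeholder instead of the masked real one.
SAMPLE_CONFIG = """\
version 15.0
aaa new-model
aaa authentication login default local
ip ssh time-out 30
ip ssh authentication-retries 2
interface GigabitEthernet0/0
 description Inside Network
 ip address 192.9.214.50 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
access-list 10 permit 192.9.214.0 0.0.0.255
line vty 0 4
 exec-timeout 30 0
 transport input ssh
end
"""

# Constructed variant carrying the two restrictions the replies say are absent.
RESTRICTED_CONFIG = SAMPLE_CONFIG.replace(
    " ip nat outside\n", " ip nat outside\n ip access-group 101 in\n"
).replace(" transport input ssh\n", " access-class 23 in\n transport input ssh\n")


def parse_sections(config: str) -> List[Section]:
    """Group a config into (top-level command, list of indented sub-commands)."""
    sections: List[Section] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_ssh_access(config: str) -> Dict[str, object]:
    """Collect the facts that decide whether an SSH client can reach the vty."""
    aaa = False
    login_lists = set()
    vty_ssh = None           # None: no 'transport input' seen, platform default applies
    vty_access_class = None  # ACL restricting source addresses for the vty
    vty_login = "default"    # list used unless 'login authentication X' overrides it
    outside = None
    outside_acl = None
    outside_inspect: List[Tuple[str, str]] = []
    ip_ssh = False
    for header, children in parse_sections(config):
        words = header.split()
        if header == "aaa new-model":
            aaa = True
        elif header.startswith("aaa authentication login "):
            login_lists.add(words[3])
        elif header.startswith("ip ssh "):
            ip_ssh = True
        elif header.startswith("line vty"):
            for cmd in children:
                cw = cmd.split()
                if cmd.startswith("transport input"):
                    vty_ssh = bool({"ssh", "all"} & set(cw[2:]))
                elif cmd.startswith("access-class"):
                    vty_access_class = cw[1]
                elif cmd.startswith("login authentication"):
                    vty_login = cw[2]
        elif header.startswith("interface") and "ip nat outside" in children:
            outside = words[1]
            for cmd in children:
                m = re.fullmatch(r"ip access-group (\S+) in", cmd)
                if m:
                    outside_acl = m.group(1)
                m = re.fullmatch(r"ip inspect (\S+) (in|out)", cmd)
                if m:
                    outside_inspect.append((m.group(1), m.group(2)))
    return {
        "aaa_new_model": aaa,
        "vty_ssh_allowed": vty_ssh,
        "vty_access_class": vty_access_class,
        "vty_login_method": vty_login,
        # without AAA the line password applies; with AAA the named list must exist
        "login_method_defined": (vty_login in login_lists) if aaa else True,
        "outside_interface": outside,
        "outside_inbound_acl": outside_acl,
        "outside_inspect": outside_inspect,
        "ip_ssh_configured": ip_ssh,
        "manual_checks": ["show ip ssh (SSH enabled, RSA key present)",
                          "show version (k9 image)",
                          "filtering upstream of the outside interface (not visible here)"],
    }


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(name, audit_ssh_access(cfg))
```

On the posted excerpt the audit finds `transport input ssh`, no `access-class`, no inbound ACL or inspect rule on GigabitEthernet0/2, and a defined `default` login list, which matches the replies' reading; the restricted variant shows what the same output looks like when a vty `access-class` or an outside-interface ACL is in play.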

Dennis Leon Mon, 05/07/2012 - 15:52

Has anyone solved this problem? I have a similar situation... My router has two interfaces: one connecting to the WAN of the network, from where I can SSH into it when I connect via VPN to the network. But the router has another interface directly connected to the Internet and I cannot SSH to that interface (I tried with and without a VPN connection; there is a split tunneling rule anyway, so this should not be a problem).


The default route is pointing to the Internet and I also created an ACL for monitoring purposes on the Internet's interface and it shows the SSH packets hitting the interface.


The SSH debugs are not really helpful though... Any insights?


Thanks.
